bump 2.3.14.github41

Dup string before changing encoding because it might be frozen

RAILS_VERSION

@@ -1 +1 @@
-2.3.14.github36
+2.3.14.github41

actionpack/lib/action_controller/benchmarking.rb

@@ -87,7 +87,6 @@ module ActionController #:nodoc:
           log_message << " [#{complete_request_uri rescue "unknown"}]"
 
           logger.info(log_message)
-          response.headers["X-Runtime"] = "%.0f" % ms
         else
           perform_action_without_benchmark
         end

actionpack/lib/action_controller/session/cookie_store.rb

@@ -103,6 +103,13 @@ module ActionController
         request = ActionController::Request.new(env)
 
         if !(options[:secure] && !request.ssl?) && (!session_data.is_a?(AbstractStore::SessionHash) || session_data.loaded? || options[:expire_after])
+
+          # Backport standard Rack::Session::Cookie behavior
+          # Skip writing session if env['rack.session.options'][:skip] is set
+          if options[:skip]
+            return [status, headers, body]
+          end
+
           session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.loaded?
 
           persistent_session_id!(session_data)

actionpack/lib/action_view/helpers/number_helper.rb

@@ -73,6 +73,8 @@ module ActionView
       def number_to_currency(number, options = {})
         options.symbolize_keys!
 
+        options[:format]    = ERB::Util.html_escape(options[:format]) if options[:format]
+
         defaults  = I18n.translate(:'number.format', :locale => options[:locale], :raise => true) rescue {}
         currency  = I18n.translate(:'number.currency.format', :locale => options[:locale], :raise => true) rescue {}
         defaults  = defaults.merge(currency)

actionpack/test/template/number_helper_test.rb

@@ -3,6 +3,12 @@ require 'abstract_unit'
 class NumberHelperTest < ActionView::TestCase
   tests ActionView::Helpers::NumberHelper
 
+  def test_number_helpers_escape_delimiter_and_separator
+    assert_equal "$1&lt;script&gt;&lt;/script&gt;01", number_to_currency(1.01, :separator => "<script></script>")
+    assert_equal "$1&lt;script&gt;&lt;/script&gt;000.00", number_to_currency(1000, :delimiter => "<script></script>")
+    assert_equal "&lt;script&gt;1,000.00$&lt;/script&gt;", number_to_currency(1000, :format => "<script>%n%u</script>")
+  end
+
   def test_number_to_phone
     assert_equal("555-1234", number_to_phone(5551234))
     assert_equal("800-555-1212", number_to_phone(8005551212))

activerecord/lib/active_record/connection_adapters/abstract_adapter.rb

@@ -195,7 +195,9 @@ module ActiveRecord
       def log_info(sql, name, ms)
         if @logger && @logger.debug?
           name = '%s (%.1fms)' % [name || 'SQL', ms]
-          sql.force_encoding 'binary' if sql.respond_to?(:force_encoding)
+          if sql.respond_to?(:force_encoding)
+            sql = sql.dup.force_encoding 'binary'
+          end
           @logger.debug(format_log_entry(name, sql.squeeze(' ')))
         end
       end

activesupport/lib/active_support/core_ext/kernel.rb

@@ -1,5 +1,4 @@
 require 'active_support/core_ext/kernel/daemonizing'
 require 'active_support/core_ext/kernel/reporting'
-require 'active_support/core_ext/kernel/agnostics'
 require 'active_support/core_ext/kernel/requires'
 require 'active_support/core_ext/kernel/debugger'

activesupport/lib/active_support/core_ext/kernel/agnostics.rb

@@ -1,11 +0,0 @@
-class Object
-  # Makes backticks behave (somewhat more) similarly on all platforms.
-  # On win32 `nonexistent_command` raises Errno::ENOENT; on Unix, the
-  # spawned shell prints a message to stderr and sets $?.  We emulate
-  # Unix on the former but not the latter.
-  def `(command) #:nodoc:
-    super
-  rescue Errno::ENOENT => e
-    STDERR.puts "#$0: #{e}"
-  end
-end